#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh
#
# Prepare the zones served by ns6 in the "kasp" system test.  Each zone is
# built to look as if it were already part-way through a key transition:
# keys are generated with back-dated publish/activate times, their key
# state is forced with dnssec-settime, the .state files are appended to
# directly ("Fake lifetime ..."), and the zone is pre-signed.
#
# Reads from conf.sh: KEYGEN, SETTIME, SIGNER, DEFAULT_ALGORITHM,
# DEFAULT_ALGORITHM_NUMBER, echo_i, keyfile_to_key_id.
# Writes per zone: <zone>.db.infile (unsigned input), <zone>.db (signed),
# the K<zone>+... key files created by $KEYGEN, and the logs
# keygen.out.*, settime.out.*, signer.out.*.  Zone names that are expected
# to be fully signed are appended to the "zones" list.
#
# NOTE: "-e" is set in the shebang only.  It applies when this file is
# executed directly; when it is run as "sh setup.sh" it is not in effect
# and a failing tool is only visible in its *.out log.

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

echo_i "ns6/setup.sh"

# setup ZONE
#
# Select the zone that the following statements operate on.  Sets the
# globals every step below reads:
#   zone     - the zone name
#   zonefile - "$zone.db", the signed zone written by "$SIGNER -f"
#   infile   - "$zone.db.infile", the unsigned zone assembled with cat
# Logs the zone name via echo_i (conf.sh).
setup() {
	zone="$1"
	echo_i "setting up zone: $zone"
	zonefile="${zone}.db"
	infile="${zone}.db.infile"
}

# private_type_record ZONE ALGORITHM KEYFILE
#
# Print one TYPE65534 record for the key in KEYFILE using the generic
# "\# <len> <hex>" RDATA syntax (RFC 3597).  The 5-byte RDATA is the
# algorithm number (1 byte, %02x), the key id (2 bytes, %04x, obtained
# from the key file name by keyfile_to_key_id in conf.sh) and two zero
# bytes.  ALGORITHM must be a decimal number for %02x to format it.
# Callers append the output to "$infile".
# The "_"-prefixed names are plain globals: this is POSIX sh, no "local".
private_type_record() {
	_zone=$1
	_algorithm=$2
	_keyfile=$3

	_id=$(keyfile_to_key_id "$_keyfile")

	printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
}


# Make lines shorter by storing key states in environment variables.
# These are the state names passed to "dnssec-settime -s" via
# -g (goal), -k (DNSKEY), -r (KRRSIG), -z (ZRRSIG) and -d (DS).
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp
do
	# Step 1:
	# Set up a zone with dnssec-policy that is going insecure.
	setup step1.$zn
	echo "$zone" >> zones
	# Both keys were published and activated 10 days ago; "-P sync" is
	# the CDS/CDNSKEY publication time.  The *times variables are passed
	# unquoted on purpose so they word-split into separate options.
	T="now-10d"
	ksktimes="-P $T -A $T -P sync $T"
	zsktimes="-P $T -A $T"
	# stdout of $KEYGEN is the key file basename (used as "${KSK}.key"
	# below); stderr is kept in a per-zone log.
	KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
	ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
	cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
	# Pre-sign with signatures valid from 1h ago until 2 weeks from now.
	$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

	# Step 2:
	# Set up a zone with dnssec-policy that is going insecure. Don't add
	# this zone to the zones file, because this zone is no longer expected
	# to be fully signed.
	setup step2.$zn
	# The DS was withdrawn from the parent zone 26 hours ago.
	# $T ("now-10d") is carried over from step 1 of this iteration.
	Trem="now-26h"
	ksktimes="-P $T -A $T -P sync $T"
	zsktimes="-P $T -A $T"
	KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
	ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
	# Goal HIDDEN for both keys: they are on their way out.  KSK: DNSKEY
	# and KRRSIG OMNIPRESENT since $T, DS UNRETENTIVE since $Trem with the
	# DS-delete time ("-D ds") also at $Trem.  ZSK: DNSKEY and ZRRSIG
	# OMNIPRESENT since $T.
	$SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
	$SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
	# Fake lifetime of old algorithm keys (appended straight to the
	# .state files): 0 for the KSK, 5184000 s (60 days) for the ZSK.
	echo "Lifetime: 0" >> "${KSK}.state"
	echo "Lifetime: 5184000" >> "${ZSK}.state"
	cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
	$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
done

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
echo "$zone" >> zones
# Throughout the rollover zones, RSASHA1 (DNSSEC algorithm number 5, the
# value passed to private_type_record) is the old algorithm being rolled
# away from and $DEFAULT_ALGORITHM / $DEFAULT_ALGORITHM_NUMBER is the new
# one.  Time variables ending in N describe the old key pair, those ending
# in N1 the new (N+1) pair: Tact = active, Tret = retired, Trem = removed,
# Tpub = published, Tsbm = presumably "submitted" (DS sent to the parent).
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
# Everything (goal, DNSKEY, KRRSIG/ZRRSIG, DS) is OMNIPRESENT as of now.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
# -S: smart signing from key metadata; -x: sign the DNSKEY RRset with
# KSKs only.  Signatures valid from 1h ago until 2 weeks from now.
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub, where Ipub = TTLsig + Dprp + publish-safety:
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# The old keys are set to become inactive ("-I") now; the new KSK's
# CDS/CDNSKEY publication ("-P sync") is scheduled for $TsbmN1.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old pair: goal HIDDEN, all records still OMNIPRESENT.
# New pair: goal OMNIPRESENT, DNSKEY and RRSIGs RUMOURED since $TpubN1,
# DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# New pair: DNSKEY and KRRSIG now OMNIPRESENT; the new ZSK's ZRRSIG is
# still RUMOURED and the new DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# DS swap at $TactN1: the old DS is UNRETENTIVE with its delete time
# ("-D ds") there, the new DS RUMOURED with its publish time ("-P ds")
# there.  Only the DS-related state differs from step 3.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old pair: DNSKEY and RRSIGs UNRETENTIVE since $TremN, old DS HIDDEN
# since the swap.  New pair: DS now OMNIPRESENT since the swap.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
# TdeaN: time the old RRSIGs went UNRETENTIVE (used for -r/-z below).
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old pair: DNSKEY HIDDEN since $TremN, RRSIGs UNRETENTIVE since $TdeaN.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#
# A CSK signs both the DNSKEY RRset and the zone, so each key gets all of
# -k/-r/-z/-d states and the signer is run with -z (ignore the KSK flag
# when choosing signing keys).  Keys are generated from the dnssec-policy
# "csk-algoroll" read from policies/csk1.conf (old algorithm) and
# policies/csk2.conf (new algorithm) instead of an explicit "-a".
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 5 "$CSK" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# Old CSK: goal HIDDEN, everything still OMNIPRESENT.  New CSK: DNSKEY
# and both RRSIG types RUMOURED since $TpubN1, DS HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# New CSK: DNSKEY and KRRSIG OMNIPRESENT since $TactN1; ZRRSIG still
# RUMOURED and DS still HIDDEN since $TpubN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
# TsubN1: DS swap time for the CSK roll (the KSK/ZSK roll above uses
# TactN1 for the same purpose) — presumably "submitted"; verify.
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# DS swap: old DS UNRETENTIVE (delete time at $TactN1), new DS RUMOURED
# (publish time at $TsubN1); the new ZRRSIG is OMNIPRESENT since $TsubN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# NOTE(review): both DS states are timed at $TremN ("now-2h") here,
# whereas step 4 swaps the DS at $TsubN1, step 6 below dates the DS
# states at $TactN1, and the KSK/ZSK step 5 uses $TactN1 — confirm the
# DS time in this step is intended.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# Old CSK: DNSKEY HIDDEN since $TremN, both RRSIG types UNRETENTIVE since
# $TdeaN, DS HIDDEN.  NOTE(review): the DS states are dated $TactN1
# ("now-44h") rather than the step-4 swap time $TsubN1 — confirm.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1